Pass key as string instead of byte-array / JCA misuse

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, [CogniCryptSAST](https://github.com/CROSSINGTUD/CryptoAnalysis ) is within this project.

- The method [`encrypt`](https://github.com/hashmapinc/Tempus/blob/dev/dao/src/main/java/com/hashmapinc/server/dao/encryption/EncryptionServiceImpl.java#L39) expects a string as secret.  However, a string is considered as insecure to handle secrets. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are longer visible in memory for attackers than necessary and outside of the direct control of the developer. The [JCA documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx) recommend this as well. 

The report can be reproduced by running CogniCrypt_SAST on the project.

We hope that our assumption is correct and would be glad to get your thoughts on this issue.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Pass key as string instead of byte-array / JCA misuse #1170

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Pass key as string instead of byte-array / JCA misuse #1170

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions